Support for deploy keys
When creating the deploy key for a repository like git@github.com:owner/repo.git or https://github.com/owner/repo, put that URL into the key comment. (Hint: Try ssh-keygen ... -C "git@github.com:owner/repo.git".)
doesn't work, did it really ever though?
The reason why I ask is:
Added deploy-key mapping: Use identity '/home/runner/.ssh/key-9afee5aba32d34d4808381171428163bfab52f783f2c99f98ecce81fb90c9682' for GitHub repository xxxxxxxx
Run cargo build --verbose
warning: unused manifest key: source
Updating crates.io index
Updating git repository `xxxxxxxxxxxx`
warning: spurious network error (3 tries remaining): failed to resolve address for key-9afee5aba32d34d4808381171428163bfab52f783f2c99f98ecce81fb90c9682.github.com: Name or service not known; class=Net (12)
seems unlikely that ever worked :)
I spent quite some time debugging through a different rabbit hole since the documentation seems to show that this was the answer. But I had run into the same issue where, at the end, only the first ssh-private-key was picked up. Should the documentation be updated at this point to prevent confusion or has there been a fix already?
It works in v0.7.0 but it seems like it has been broken since then
For me, setting CARGO_NET_GIT_FETCH_WITH_CLI in the workflow file helped. I am using the latest version v0.9.1.
env:
  CARGO_NET_GIT_FETCH_WITH_CLI: true
the action works fine with deploy keys.
see https://github.com/basepom/inline-maven-plugin/actions/runs/14958381836/job/42017223603 for a recent, successful flow deploying pages and https://github.com/basepom/inline-maven-plugin/actions/runs/14958381836/workflow for the workflow file.
you
- create a ssh key pair. Add the git url for the target repo as comment. In this example, it is git@github.com:basepom/basepom.github.io.git
- enable deploy keys for your org.
- add the public key to the repository that holds the site as deploy key. check the "write" checkbox
- add the private key as a secret either to the repository that creates the site or the organization (if you create multiple sites). In the example above, the secret is in secrets.BASEPOM_GITHUB_IO_DEPLOY_KEY.
use
- uses: webfactory/[email protected]
  with:
    ssh-private-key: ${{ <secret key reference> }}
in your workflow.
It is not working for me either. I did the exact steps as mentioned by @hgschmie. Generated a key without password like
ssh-keygen -t ed25519 -C "git@github.com:<ORG>/<REPO>.git" -f deploy-key-<REPO> -N ""
Allow deploy keys in organisation. Added deploy pub key to project I want to download. Added private key to secrets. Used the action
- uses: webfactory/[email protected]
  with:
    ssh-private-key: ${{ secrets.<secret key reference> }}
I tried action versions 0.9.1, 0.9.0 and also 0.7.0 (because someone mentioned it here). I also tried the option with a wrong and a correct deploy key comment. I got two different logs from the action
Added deploy-key mapping: Use identity '/home/github-runner/.ssh/key-f8f50e61c8adb6338a94ce3cde7ce43020da2ca0804612453019c5f41ba47e24' for GitHub repository <REPO>
or
Comment for (public) key 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFJOhC61dlLReGk2OJTredYw43uk3zaY3c3YsVW/6Xcy <REPO>' does not match GitHub URL pattern. Not treating it as a GitHub deploy key.
because in the working example it is actually not matching https://github.com/basepom/inline-maven-plugin/actions/runs/14958381836/job/42017223603
I also tried enable/disable write access.
I'm using this tool https://github.com/coralogix/protofetch. And I get the same error
[info] ERROR failed to resolve address for key-f8f50e61c8adb6338a94ce3cde7ce43020da2ca0804612453019c5f41ba47e24.github.com: Name does not resolve; class=Net (12)
On my local machine I just use ssh-add ~/.ssh/<PERSONAL-KEY> and it works without problems.
I assume when you write "download" you mean "repository that I want to deploy to". Did you add the pub key as a deploy key? For me, that key lives at https://github.com/basepom/basepom.github.io/settings/keys and looks like this:
The deploy pipeline (which runs in the repo that wants to deploy, e.g. the inline plugin) then has access to the private key through a repository or organization secret.
For me that lives at https://github.com/organizations/basepom/settings/secrets/actions/<magic key name>
and has been configured to be accessible by the specific repository that runs the deploy pipeline.
I see, now I know why you need write access for the deploy key. I'm not deploying to a repository. In one pipeline I want to download another repository. I know I can use another actions/checkout@v4, but I use one tool, which also works locally without problems. And yes, I have the deploy public key in the repo I want to deploy and the private key in organizational secrets.
BTW, I fixed the comment in the key and now it looks like this:
In my case the problem is somewhere in the runner. On a different runner it runs OK. We are using self-hosted runners. Even a restart does not help.
It was a problem on the machine: .ssh/config and ~/.gitconfig were broken. After deleting both it started to work. Deleting just ssh didn't help.
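A runner-side check for the state described in the last comment, added here as an example; it is not code from this thread or from webfactory/ssh-agent. It assumes the action rewrites repository URLs in the global git config to a `key-<sha256>.github.com` alias and relies on a matching `Host` block in the ssh config to map that alias back to github.com; the function names and sample repositories are made up for the illustration.

```bash
#!/usr/bin/env bash
# Added diagnostic, not webfactory/ssh-agent code. Assumption: the action
# rewrites repo URLs to git@key-<sha256>.github.com:owner/repo in the global
# git config and relies on a "Host key-<sha256>.github.com" block in the ssh
# config to map that alias back to github.com.

# List each key-<hex>.github.com alias that appears in file $1.
aliases_in() {
  grep -oE 'key-[0-9a-f]{64}\.github\.com' "$1" 2>/dev/null | sort -u
}

# For each alias in git config $1, print OK or MISSING depending on whether
# ssh config $2 has a Host block for it with "HostName github.com".
# Returns 1 if any alias is unmapped (it would then be resolved via DNS).
check_deploy_key_aliases() {
  local gitconfig="$1" sshconfig="$2" host rc=0
  for host in $(aliases_in "$gitconfig"); do
    if awk -v a="$host" '
        tolower($1) == "host" { hit = 0; for (i = 2; i <= NF; i++) if ($i == a) hit = 1; next }
        hit && tolower($1) == "hostname" && $2 == "github.com" { ok = 1 }
        END { exit !ok }' "$sshconfig" 2>/dev/null; then
      echo "OK $host"
    else
      echo "MISSING $host"; rc=1
    fi
  done
  return "$rc"
}

# Constructed sample: two rewritten repos, only the first has a Host block.
demo() {
  local dir a b rc=0
  dir=$(mktemp -d)
  a="key-$(printf '%064d' 0).github.com"
  b="key-$(printf '%064d' 1).github.com"
  printf '[url "git@%s:example-org/repo-a"]\n\tinsteadOf = https://github.com/example-org/repo-a\n' "$a" > "$dir/gitconfig"
  printf '[url "git@%s:example-org/repo-b"]\n\tinsteadOf = git@github.com:example-org/repo-b\n' "$b" >> "$dir/gitconfig"
  printf 'Host %s\n    HostName github.com\n    IdentitiesOnly yes\n' "$a" > "$dir/ssh_config"
  check_deploy_key_aliases "$dir/gitconfig" "$dir/ssh_config" || rc=1
  rm -rf "$dir"
  return "$rc"
}

demo || echo "at least one deploy-key alias has no ssh Host mapping"
```

On a runner, call `check_deploy_key_aliases ~/.gitconfig ~/.ssh/config`. A Git client that does not read `~/.ssh/config` will still try to resolve the alias through DNS even when every line reports OK, which is consistent with the `CARGO_NET_GIT_FETCH_WITH_CLI` workaround above.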